Why can't I use SSL certs imported via Server Admin in a custom Apache install?

Posted by morgant on Server Fault
Published on 2012-04-10T23:15:38Z Indexed on 2012/04/10 23:31 UTC

I've got a couple of Mac OS X 10.6.8 Server web servers that run a custom AMP255 (Apache 2.x, MySQL 5.x, and PHP 5.x) stack installed using MacPorts. We've got a lot of Mac OS X Server servers and generally install SSL certs via Server Admin, and they "just work" in the built-in services; however, these web servers have always had SSL certs installed in a non-standard location and used only for Apache.

Long story short, we're trying to standardize this part of our administration and install certs via Server Admin, but have run into the following issue: when the certs are installed via Server Admin and referenced in our Apache conf files, Apache prompts for a password when trying to start. It does not seem to be any password we know, certainly not the admin or keychain passwords! We've added the _www user to the certusers group (mainly just to ensure it has the proper access to the private key in /etc/certificates/).

So, with the custom installed certs we have the following files (basically just pasted in from the company we purchase our certs from):

-rw-r--r--   1 root  admin  1395 Apr 10 11:22 *.domain.tld.ca
-rw-r--r--   1 root  admin  1656 Apr 10 11:21 *.domain.tld.cert
-rw-r--r--   1 root  admin  1680 Apr 10 11:22 *.domain.tld.key

And the following in the VirtualHost in /opt/local/apache2/conf/extra/httpd-ssl.conf:

SSLCertificateFile /path/to/certs/*.domain.tld.cert
SSLCertificateKeyFile /path/to/certs/*.domain.tld.key
SSLCACertificateFile /path/to/certs/*.domain.tld.ca

This setup functions normally.

If we use the certs installed via Server Admin (which both Server Admin and Keychain Assistant show as valid), they're installed in /etc/certificates/ as follows:

-rw-r--r--    1 root  wheel      1655 Apr  9 13:44 *.domain.tld.SOMELONGHASH.cert.pem
-rw-r--r--    1 root  wheel      4266 Apr  9 13:44 *.domain.tld.SOMELONGHASH.chain.pem
-rw-r-----    1 root  certusers  3406 Apr  9 13:44 *.domain.tld.SOMELONGHASH.concat.pem
-rw-r-----    1 root  certusers  1751 Apr  9 13:44 *.domain.tld.SOMELONGHASH.key.pem

And if we replace the aforementioned lines in our httpd-ssl.conf with the following:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem

This prompts for the unknown password. I have also tried httpd-ssl.conf configured as follows:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCertificateChainFile /etc/certificates/*.domain.tld.SOMELONGHASH.concat.pem

And as:

SSLCertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.cert.pem
SSLCertificateKeyFile /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem
SSLCACertificateFile /etc/certificates/*.domain.tld.SOMELONGHASH.chain.pem

We've verified that the certificate is configured to allow all applications to access it (in Keychain Assistant). A diff of the /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem and *.domain.tld.key files shows that the former is encrypted and the latter is not, so we're assuming that Server Admin/Keychain Assistant is encrypting them for some reason.

I know I can create an unencrypted key file as follows:

sudo openssl rsa -in /etc/certificates/*.domain.tld.SOMELONGHASH.key.pem -out /etc/certificates/*.domain.tld.SOMELONGHASH.key.no_password.pem

But, I can't do that without entering the password. I thought maybe I could export an unencrypted copy of the key from Keychain Admin, but I'm not seeing such an option (not to mention that the .pem options are greyed out in all export options).

Any assistance would be greatly appreciated.
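The password prompt described above is mod_ssl asking for the passphrase of an encrypted private key at startup. The following is an added diagnostic, not code from the original question or its answers: it checks, without needing the passphrase, whether a PEM key is passphrase-protected (legacy `Proc-Type: 4,ENCRYPTED` header or a PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` block) and audits every `SSLCertificateKeyFile` directive in an httpd-ssl.conf. The files its demo creates are constructed placeholders, not real keys.

```bash
#!/bin/bash
# Added diagnostic, not code from the original question. Reports which
# SSLCertificateKeyFile directives in an Apache config reference a
# passphrase-protected key; mod_ssl prompts for that passphrase at startup.

# Exit status: 0 = encrypted private key, 1 = unencrypted private key,
# 2 = unreadable or not a private key at all.
pem_key_is_encrypted() {
    local f="$1"
    [ -r "$f" ] || return 2
    # PKCS#8 encrypted keys say so in the BEGIN line.
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 0
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY) marks encryption with a Proc-Type header.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" && return 1
    return 2
}

# Print "<encrypted|plain|missing> <path>" for every SSLCertificateKeyFile line
# in the config; return 1 if any key is encrypted. Paths are taken literally,
# so a name like *.domain.tld.HASH.key.pem is not glob-expanded.
audit_ssl_key_directives() {
    local conf="$1" rc=0 directive path rest status
    while read -r directive path rest; do
        [ "$directive" = SSLCertificateKeyFile ] || continue   # skips comments too
        path="${path%\"}"; path="${path#\"}"                     # strip optional quotes
        status=0; pem_key_is_encrypted "$path" || status=$?
        case $status in
            0) echo "encrypted $path"; rc=1 ;;
            1) echo "plain $path" ;;
            *) echo "missing $path" ;;
        esac
    done < "$conf"
    return $rc
}

# Demonstration on constructed placeholder files (not real keys or certs).
demo() {
    local d; d=$(mktemp -d)
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n' > "$d/server.key.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n' > "$d/custom.key"
    printf 'SSLCertificateKeyFile %s/server.key.pem\nSSLCertificateKeyFile "%s/custom.key"\n' "$d" "$d" > "$d/httpd-ssl.conf"
    audit_ssl_key_directives "$d/httpd-ssl.conf" || echo "httpd would prompt for a passphrase on start"
    rm -rf "$d"
}
demo
```

Run it against the real config as a user that can read the key files (the Server Admin keys are mode 0640 root:certusers), since an unreadable key is reported as missing rather than encrypted.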

© Server Fault or respective owner
